Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Monday, December 12, 2016

Disqualifying votes in Michigan - how would this play in PA?

I'm a little late on this, but figured I'd discuss the issue anyway. I read a story that says that many of Clinton's votes in Michigan may be disqualified from the recount due to problems with the voting machines in precincts that heavily favor her. The issue has to do with reconciling vote tallies with voter sign in logs. The discrepancies in reconciliation have to do with old voting machines that may be faulty.

Interestingly, we only know of this because of the paper record that is generated in Michigan. But Pennsylvania uses pure electronic voting. How would this play there? As I ponder the idea of auditing an e-voting machine, what would happen if malware were found on the machine? Would you have to disqualify all of the votes? Since most machines are air-gapped, what if malware was found on the machine that programs or reads the PCMCIA cards for the e-voting machines? Do you disqualify all of the votes for the machines the infected computer came in contact with?

Yes, malware could technically change the paper backup used in many states too (as Cylance showed), but I'm more concerned about the Pennsylvania case since that's potentially going to be an issue sooner than later.

If finding malware on a machine invalidates votes, then the smartest way to hack an election is perhaps to compromise machines in the precincts where your opponent is heavily favored then trigger an audit. I'm not recommending this, just suggesting it's the logical conclusion to a strategy of removing votes for malware.

I don't have all the answers and I'm not trying to start trouble. But I would urge you to contact your state legislator and ask them how your state will handle issues of malware found on voting machines or those used to tally votes. If they don't have an answer, suggest that they sponsor legislation. Practically any legislation on the matter is better than the court battles that will inevitably occur in a legislative vacuum.

Update: a US District Judge just ruled that a recount cannot be held in PA, saying it cannot be completed before votes must be certified. Judge also says it "borders on the irrational" to suspect hacking occurred in Pennsylvania.